Details

Computing and communicating through the Web makes it virtually impossible to
leave the past behind. College Facebook posts or pictures can resurface during a
job interview; a lost or stolen laptop can expose personal photos or messages;
or a legal investigation can subpoena the entire contents of a home or work
computer, uncovering incriminating or just embarrassing details from the past.

Vanish is a research system designed to give users control over the
lifetime of personal data stored on the web or in the cloud. Specifically, all
copies of Vanish encrypted data, even archived or cached copies, will become
permanently unreadable at a specific time, without any action on the
part of the user or any third party or centralized service.
For example, using the Firefox Vanish plugin, a user can create an
email, a Google Doc document, a Facebook message, or a blog comment — specifying
that the document or message should "vanish" in 8 hours. Before that 8-hour
timeout expires, anyone who has access to the data can read it; however after
that timer expires, nobody can read that web content — not the user, not Google,
not Facebook, not a hacker who breaks into the cloud service, and not even
someone who obtains a warrant for that data. That data — regardless of where
stored or archived prior to the timeout — simply self-destructs and becomes
permanently unreadable.

Motivation and Brief Description:

An enormous amount of private data is now stored on the web or in the cloud,
outside the end-user's control. If you send a sensitive email to a close friend,
for example, you have no idea where that email will be stored or when it will be
deleted. Web-based email systems may back up the message, potentially forever,
even if you delete it. Similarly, when you send a message via Facebook or create
a Google Doc, you have no idea where and for how long copies of your data will
be stored.
Given this situation, users cannot control the lifetimes of their data stored
in the cloud. This amplifies privacy risks since private data (even thought to
be deleted) could be disclosed weeks, months, or years after that data was first
stored. There are known examples of data remaining in the cloud long
after users explicitly request that data's deletion. Private data could be
exposed by accidental misconfigurations on a web service, be
compromised by hackers, or be used in legal proceedings. A
2004 news article says: "Don't ever say
anything on e-mail or text messaging that you don't want to come back and bite
you."
We created self-destructing data to try to address this problem. Our
prototype system, called Vanish, shares some properties with existing
encryption systems like PGP, but there are also some major differences. First,
someone using Vanish to "encrypt/encapsulate" information, like an email, never
learns the encryption key. Second, there is a pre-specified timeout associated
with each encrypted/encapsulated message. Prior to the timeout, anyone can read
the encrypted/encapsulated message. After the timeout, no one can read that
message, because the encryption key is lost due to a set of both natural and
programmed processes. It is therefore impossible for anyone to decrypt/decapsulate
that email after the timer expires.

Under the Hood:

Our technical paper, which will appear at the 18th USENIX Security Symposium in August,
describes the concepts behind Vanish in detail. Briefly, as mentioned above, the
user never knows the encryption key. This means that there is no risk of the
user exposing that key at some point in the future, perhaps through coercion,
court order, or compromise. So what do we do with the key? We could escrow it
with a third party, but that raises serious trust issues (e.g., the case with Hushmail).
Instead, we leverage an unusual storage media in a novel way: namely,
global-scale peer-to-peer networks. Vanish creates a secret key to encrypt a
user's data item (such as an email), breaks the key into many pieces and then
sprinkles the pieces across the P2P network. As machines constantly join and
leave the P2P network, the pieces of the key gradually disappear. By the time
the hacker or someone with a subpoena actually tries to obtain access to the
message, the pieces of the key will have permanently disappeared.
Our Vanish prototype uses the Vuze BitTorrent Distributed Hash Table as the
underlying P2P network. Our prototype by default supports data timeouts of 8 to 9
hours, though longer timeouts are possible.
In many ways Vanish begins to approximate the ephemeral nature of a phone
call. While our system is still a research prototype and we encourage people
to treat it with a skeptical eye for now (like any new security system), one could
envision it or a derivative being used in corporate settings, when talking with
lawyers, or when conducting a variety of private matters online. For example,
many people pick up the phone instead of sending an email for fear of leaving
breadcrumbs of digital forensic trails. But now there's Vanish.

Vanishing Beyond the Web:

While the Vanish prototype is focused on empowering users to control the lifetime
of their web content, Vanish itself is much more broadly applicable than that.
We provide for download both the main Vanish application and a Firefox Vanish
plugin. The Firefox plugin uses the Vanish application as a client. Other
applications can similarly leverage the main Vanish application.
For example, one can create a Vanishing trash bin application. Users could
put data into the Vanish trash bin, and recover that data before the timer
expires. After the timer expires, however, the data self-destructs and is no
longer available. This self-destruction would even happen if the machine was
turned off prior to expiration and someone, perhaps at a border crossing or with a warrant, were to
seize the computer and create an exact copy of the computer's disks before the
timeout occurs.
About the Researchers:

1. Henry M. Levy
Chairman and Wissner-Slivka Chair
Department of Computer Science and Engineering
University of Washington

Henry M. Levy holds the Wissner-Slivka Chair in Computer Science
and Engineering at the University of Washington. Hank's research projects
focus on operating systems, distributed and parallel computing, the world-wide
web, and computer architecture.

2. Tadayoshi Kohno
Assistant Professor
Department of Computer Science and Engineering
University of Washington

3. Roxana Geambasu
Graduate Student
Computer Science and Engineering
University of Washington